By Deven McGraw
Today the HHS Office for Civil Rights (OCR) announced its second settlement in its initiative to more robustly enforce the HIPAA Right of Access. This settlement, involving alleged violation of the HIPAA Right of Access by Korunda Medical, LLC (Korunda), was for $85,000 and obligates Korunda to adhere to a robust corrective action plan for a year.
For years, OCR enforced the Right of Access largely by counseling entities on their obligations to get patients their health data (OCR calls this providing “technical assistance”). But in February 2019, OCR announced that it was launching a new initiative to more robustly enforce this key patient right through monetary settlements and robust corrective action plans (or through imposition of civil monetary penalties where necessary). Within months of this announcement (September 2019), OCR released its first settlement with Bayfront Health St. Petersburg (Bayfront).
The first settlement demonstrated that OCR was serious about its commitment to launch a robust Right of Access enforcement initiative, and this second settlement reinforces that conclusion. No doubt – OCR is actively investigating complaints about violations of the Right of Access and pursuing them.
Here’s what’s interesting about this latest settlement.
In the press release, OCR made clear that the alleged violations in the Korunda case involved more than just delay in getting records to the patient. In this case, Korunda – in addition to not providing the records within the 30 day timeframe – allegedly did not provide the records in the format requested (electronic) to the patient’s third party designee and charged unreasonable fees to boot. (In Bayfront, the press release and resolution agreement were focused just on the more-than-a-year delay between when the patient requested the records and when they were finally delivered to her.)
As we have emphasized in our Patient Record Scorecard, the HIPAA Right of Access provides individuals with the right to have their health information sent directly to the third party of their choice – and all of the key components of the Right of Access, including the limitations on fees that can be charged, the 30 day timing requirement, and the requirement to send information in the form and format requested by the patient (as long as it is “readily producible”), still apply to that request.
We have experience with entities not complying with HIPAA when patients request information be sent to third party designees. At Ciitizen, our users’ HIPAA access requests direct that their health information be sent to Ciitizen as their “third party” destination. Initially, these requests are often treated as though they are not patient requests– which translates into resistance to fulfilling the request and often the imposition of high fees. As a result, we regularly have to educate medical records department supervisors and privacy officials on the patient’s right to have information sent to a third party designee, provided at a reasonable cost. Because it often takes work to get your complete medical records (including images and other information not widely available through a portal,) services like Ciitizen are key to enabling patients (particularly those who are sick) to actually exercise their Right of Access. Consequently, we are pleased to see OCR pursue and quickly reach settlement in a case involving a patient’s request to have his or her records sent directly to a third party designee, as this is a critical aspect of the Right of Access.
In the Bayfront case, I noted on Twitter and in discussions with reporters that while the actual settlement amount was low compared to other OCR settled HIPAA cases, the one-year corrective action plan is quite robust and requires Bayfront to work closely with OCR to get robust policies into place and assure its workforce is properly trained. The corrective action plan in the Korunda settlement is similarly robust on policies and training- but it also includes a unique provision requiring Korunda to submit a list of access requests to HHS on a quarterly basis, along with details on how they were processed, including the fees charged. This should help assure that Korunda will get into compliance – and remain in compliance – with the Right of Access, at least through the duration of the plan.
We have learned at Ciitizen that Release of Information (ROI) vendors – who are business associates – can play a make-or-break role for a covered entity in assuring they are in compliance with the Right of Access. Re-reading the Bayfront corrective action plan, I noticed an emphasis on assuring that its “relevant business associates” were also trained on the Right of Access, suggesting that an ROI vendor likely was involved in the conduct at issue. Bayfront also is required to provide OCR with the names of all of its business associates who receive and/or fulfill access requests, and the absence of similar provisions in the Korunda corrective action plan suggests either Korunda did not use vendors to handle right of Access requests, or the actions of a vendor were not an issue in that case.
Two other interesting items to note: in Korunda, OCR acted very quickly to respond to a patient’s right of access request. Having received an initial complaint from a patient about Korunda on March 6, 2019, they responded only 12 days later (March 18) by providing Korunda with technical assistance on its obligations under the HIPAA Privacy Rule. When OCR received a second Right of Access complaint about Korunda on March 22, they turned around just a few weeks later (May 8), notifying Korunda that the Office was launching a more fulsome investigation of this complaint. The Korunda settlement was then announced today, about 7 months after the investigation was launched. We’re more accustomed to OCR investigations taking years to resolve, particularly in complex cases involving data breaches and multiple alleged Security Rule violations. In contrast, this pace of this case underscores OCR’s commitment to making a difference with its Right of Access enforcement initiative. Quick resolution of these cases helps individuals get their records more quickly and sends a message to industry that HHS is serious about raising the bar on compliance with the Right of Access and is focusing resources on getting fast results.
It is interesting – but likely just a coincidence – that both Right of Access cases involved providers in Florida and the same settlement amount ($85,000). Providers both inside and outside of the State of Florida should take notice.